IETF Logo Mail Archive

Re: Accurate history [Re: "professional" in an IETF context]

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 07 November 2021 21:21 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91FCD3A0DD3 for <ietf@ietfa.amsl.com>; Sun, 7 Nov 2021 13:21:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.428
X-Spam-Level:
X-Spam-Status: No, score=-5.428 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KW9GgziqfYIG for <ietf@ietfa.amsl.com>; Sun, 7 Nov 2021 13:21:39 -0800 (PST)
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0740C3A0DD2 for <ietf@ietf.org>; Sun, 7 Nov 2021 13:21:39 -0800 (PST)
Received: by mail-pl1-x630.google.com with SMTP id q17so2412631plr.11 for <ietf@ietf.org>; Sun, 07 Nov 2021 13:21:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Sv5S2KcyumP9h4eYQu/hbOeiZFU4nyS+QIUUKiL7soo=; b=cld3xPabVHtaMsvisUtAOHxlOsJDl41CbFy52m+p3PST3LMNqxEJwLcSOsQfHH5SmS dwL6x+klwlNpn4iHCGVjAJ8A5OxGDniCA/RGiIkRIHgEPjVMU3SN5BbGVdbCMnftJX1b zt3IptBGndi1Go90mYBfwO/57NSEwLL1Wib3z4g95u16B/AiFKmkHmdIwqB8Qn+Jl5BT aTH+6TFJMPZKlKnN/alguyJsK7IOKJJybJ8TSyWXUptBxifClR/GIVzGaLXWwifpY2Ns vcwWbZIp2Xcv/BeEfcu92hu45MR/TOBDFo0wIo+7DqbHEr2OMLg+mbO5eIy+OdMlgUyH kjzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Sv5S2KcyumP9h4eYQu/hbOeiZFU4nyS+QIUUKiL7soo=; b=ToSa3IBzoLL95CFZ22+P7WYATBP4kfIvvNExZojo0z7WtB5VFAGwIh6wL6fqXWFn/O ACybCBZWjMo4YCDdD+5akfBrSjsGEFGkeDwfbSPRJmBXVNI81ZkVxzpCWRikv82X42v2 pMzJKoqKlwyu/YoQ9Uhgl3rxMR+SJ4yTbq+yUIs1eLdjPeggJ+h+B0trsYXy5cN3QIl5 cs0YkqIvD9RqYDxgI1qKpV6GjxXw/XZJP7BDVtP+bcwG8TxQeBlee27KKNNUzHCR5aYz g1eDX1wQy+3NIzNBQSyg7YhdeUB7PiiK6C7ZNDsBTWOG3E/93d5ox57nWSjjBY1VO+YW b4Lg==
X-Gm-Message-State: AOAM533cMhK/Zhm2jsmZRZfyt5xyaKHYUOtW6v+JCbxay95oAhaYnp/b IqDpiYkJ7yj7L0NP55cm9gqPM9/wgzdmnw==
X-Google-Smtp-Source: ABdhPJwetHmywzLFheQ/d9z0PpYCsF+Is5pM/Aye7ZciQhVRXeL2lkbQAeSDpxxiIa9jtOZ9VLS8Yw==
X-Received: by 2002:a17:90a:de0b:: with SMTP id m11mr46362048pjv.39.1636320096860; Sun, 07 Nov 2021 13:21:36 -0800 (PST)
Received: from ?IPv6:2406:e003:102d:e801:80b2:5c79:2266:e431? ([2406:e003:102d:e801:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id k14sm11324356pji.45.2021.11.07.13.21.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 07 Nov 2021 13:21:36 -0800 (PST)
Subject: Re: Accurate history [Re: "professional" in an IETF context]
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>, Stewart Bryant <stewart.bryant@gmail.com>
Cc: IETF <ietf@ietf.org>
References: <8F4B97EA-665F-4A59-B99D-791B4AB9F2F7@yahoo.co.uk> <885e62bf-7d6a-4501-a48a-e7c2cbf20382@joelhalpern.com> <e59adb61-a55c-7f5f-a60a-40bf186c139d@necom830.hpcl.titech.ac.jp> <CAC8QAceMSrfkqGTYcMNr3JargO3gxJqTaEyf02LGHd-KVeUDHw@mail.gmail.com> <6286da3e-2beb-9556-089a-2e1951573b1e@gmail.com> <59c80b60-438f-b10f-ad61-ba839f6e4f95@necom830.hpcl.titech.ac.jp> <e834916e85ea47ef94fce07c23928d2b@huawei.com> <37b299c8-e821-07e5-6240-68fb9d1ca137@gmail.com> <23b450fb11eb4a51bb4ee837b5c52657@huawei.com> <a805b50d-3ccd-dd2a-4931-6c6dc9a8ede3@necom830.hpcl.titech.ac.jp> <CAC8QAceY1gtK5v3WGMd4OB0z826jDiDDw_g1LbjWef7MKTnrcg@mail.gmail.com> <7d6af5bc-9663-7e4e-26ba-23fb1e4dccbe@necom830.hpcl.titech.ac.jp> <7238184A-53D6-42C3-B9C3-E333513A8636@sobco.com> <513d8f63-78c6-50ca-9d11-ee128af0d202@foobar.org> <f6ecd8af8e0040869e152b086e041a42@huawei.com> <E285424F-7E21-47BF-8235-BF9710F1593C@gmail.com> <23408009-7933-d1ed-6347-13092ee3abc9@gmail.com> <a9d6ed638692428aa5b67f16f961a1cc@huawei.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <27da82b5-6bb5-30e3-a4b1-f119fa3afc32@gmail.com>
Date: Mon, 08 Nov 2021 10:21:32 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <a9d6ed638692428aa5b67f16f961a1cc@huawei.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/egUe3ECCxt58CdOyUuXsPi1_WsQ>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Nov 2021 21:21:44 -0000

On 08-Nov-21 00:00, Vasilenko Eduard wrote:
> If it is the best practice to disable "temporary addresses" (because it is fake privacy anyway)

I didn't say it was best practice. I expect it to be a common practice in enterprise networks, but the reason it's the recommended default for operating systems is so that individuals will benefit from the small amount of privacy it offers.

> Then what is the purpose of waisting (2^64-1)/2^64 of IPv6 addresses space?

We've debated this so often; I can only suggest reading RFC7136 and RFC7421 again, and the whole debate around the abandoned draft-ietf-6man-rfc4291bis. There is no consensus in the IETF for changing the /64 boundary.

> The next reason could be to greatly simplify Address Resolution Protocol (some link parameters still make sense to broadcast).
> 
> Or else, we have to accept that half of the address bits are just the garbage that every node needs to store and process.
> Except for a few bits that are needed on many subnets anyway to organize local connectivity.
> 
> About ARP storm:
> ND has much bigger DoS capabilities because
ARP storms were not DOS attacks; they were bugs built into combining certain IPv4 implementations with spanning tree bridges.

> - 2^64 subnet permits to push the router to find all 2^64 addresses, it could be done even from outside of the subnet
> - temporarily addresses 10x increase the load on the protocol and the same on the log and correlation engine (for LI, forensic, and troubleshooting)
> It is famous how WiFi degrades on any physical IETFevent because of the huge number of multicasts per second.

Sure. Building a single /64 that big is a very debatable design choice. The principle fix for ARP storms (and other forms of broadcast storms in IPv4) was subnetting. The same should apply to IPv6 network design.

> All of these multicasts would not be needed if MAC would be inside every IPv6 address as it was intended initially.
> It is the best use for these 64bits.

It's said that to make any Internet problem harder, just say "multicast". And it's true. But the real culprit here isn't "multicast", it's "scaling". Subnetting is the right answer and there is no shortage of /64s in the universe.

     Brian

> 
> Eduard
> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: Friday, November 5, 2021 11:13 PM
> To: Stewart Bryant <stewart.bryant@gmail.com>; Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: IETF <ietf@ietf.org>
> Subject: Re: Accurate history [Re: "professional" in an IETF context]
> 
> On 06-Nov-21 01:09, Stewart Bryant wrote:
>>
>>
>>> On 5 Nov 2021, at 11:10, Vasilenko Eduard <vasilenko.eduard@huawei.com <mailto:vasilenko.eduard@huawei.com>> wrote:
>>>
>>> What is important: Enterprises have no clear sign of IPv6 adoption.
>>> ND protocol has a heavy influence on this.
>>> Of course, ND is not the only reason. But maybe the biggest one.
>>
>> Indeed, and I have had a consistent complaint from a British security conscious large private sector technology savvy company, that IPv6 is so much harder to secure than IPv4 they have no interest in moving. I think that part of this is the conflict between the privacy that IPv6 offers and their need to know that *every* packet on their network is entitled to be there doing what it is doing.
> 
> 
> You can administratively disable "privacy" (temporary) addresses, but most sites find it safer to perform access control based on MAC addresses. Temporary addresses are intended to confuse the outside world, not the local network operator. They are *intended* to make lawful intercept harder. That's a feature, not a bug. I agree that they also make debugging harder, which may be another reason to disable them.
> 
> Complaining about ND seems odd if sites tolerate ARP. Anybody else remember ARP storms? ND was designed to avoid that risk.
> 
> All these are FUD arguments used in support of operational inertia.
> 
>       Brian
>

v2.23.0 | Report a Bug | By Email